{"data":{"id":"01f89e2e-0b6e-45a0-b94b-b52ec2ce54a6","title":"CVE-2025-46725: Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `Lanc","summary":"Langroid, a Python framework for building AI applications, has a vulnerability in versions before 0.53.15 where the `LanceDocChatAgent` component uses pandas eval() (a function that executes Python code stored in strings) in an unsafe way, allowing attackers to run malicious commands on the host system. The vulnerability exists in the `compute_from_docs()` function, which processes user queries without proper protection.","solution":"Upgrade to Langroid version 0.53.15 or later. The fix involves input sanitization (cleaning and filtering user input) to the affected function by default to block common attack vectors, along with added warnings in the project documentation about the risky behavior.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-46725","publishedAt":"2025-05-20T18:15:46.580Z","cveId":"CVE-2025-46725","cweIds":["CWE-94"],"cvssScore":"9.8","cvssSeverity":"critical","severity":"critical","attackType":[],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["Langroid"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00113,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-242"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"framework","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}